Building a Cyber Security Office in a Healthcare setting
Posted 25th March 2019 by Joshua Sewell
This is the first instalment of a two-part blog post from Jothi Dugar, one of the pioneers in the field of Cyber Security. Here, Jothi shares her experience of Cyber Security and developing an Information Security Office in a healthcare setting.
Being the first CISO of a leading government healthcare organisation gave me great experience creating and developing an Information Security office from the ground up in a Healthcare setting, enabling me to become a thought leader and pioneer in this field. I experienced what it takes to impress the importance of Information Security among all staff to include: management, clinicians, scientists, researchers, and technical operations teams.
Developing a healthcare security posture from the ground up
I came into the healthcare setting from the Department of Defence. When it comes to security with the DOD, if there were security flaws or concerns in a system or application then there was no question of living with it: it had to be fixed. Bringing in that sort of mindset to the healthcare setting had its pros and cons.
In a positive sense, it brought in structure to the Healthcare organisation where I worked in an area that desperately needed organisation. It emphasised the importance of integrating security measures at the fundamental level of an implementation process. I used various risk management practices and innovative techniques to gear the organisation from a reactive posture to a proactive posture.
For example, these are some of the developments I have seen in a healthcare setting over the course of my career:
- Setting up security technical review boards that review any changes that might impact security.
- Involving Security in any project that involves the implementation of large or complex systems from the beginning. This ensures that the system requirements and project execution are secure. Any new system doesn’t go live until the Cyber Security team feel comfortable and willing to take any residual risks.
- Integrating Security into IT acquisition. Any purchasing of new systems, applications, software, or anything IT related, is passed through the Information Security office.
Integrating Security requirements into the acquisitions process
The posture of vendors towards Cyber Security has also progressed in recent years. Although Security has often been a part of any acquisition process, in some instances a vendor might not have been precluded from offering services if they failed to meet security standards. However, it is now common practice to give the vendor any security requirements up front and include them in a contract.
Other practices that have been initiated in the field are security agreements or memorandums of understanding when it comes to remote access for vendors. Now, there are often controls in place, requiring full documentation of which personnel have access and what they are authorised to do.
The commercial vendors are certainly getting used to working with healthcare organisations, particularly federal government organisations. Once they have worked with one federal institution, they know they will need to adopt these requirements whenever they do business with any other federal government healthcare organisation.
Classifying systems for security controls on medical devices
Trying to meet the compliance for normal CDRH standards is too much to ask for medical devices. Therefore, we created a medical device standard for ourselves. What we did was formulate unlimited medical device standards, so we do take into consideration some controls and design what a medical device is.
The way we classified medical devices was with the FDA definition: that it does not contain any computerised components. When it has a computerised component built into it or it is connected to a computerised component, it turns into a medical device system, and that’s where we add in a lot of additional controls.
We further classify it into whether it’s on the network or off the network. We also include a lot of logical controls, some physical where possible, and access controls.
Then there are controls concerning the storage of data: if PII or PHI data doesn’t need to be stored on the medical device itself, then we ask that it be stored on a server that’s located in a properly secured datacentre. This means we can ensure that the server is encrypted and secured.
It’s essentially a shortened version of the FDA controls, where we included those which are most applicable for our context.
Opportunities to broaden recruitment strategies
While Cyber Security has developed significantly over the past few years, I still see many exciting opportunities for growth. I see the biggest opportunities when it comes to recruitment.
I don’t think we’re looking at all the possible avenues for recruitment, especially in the federal government. For example, the lowest-level security position can often require 5-10 years of experience. We are limiting ourselves with respect to who would apply for a low-level position.
We also often limit ourselves by only looking for technical qualities. Of course, it helps to have a critical thinking mindset, but it is possible to get that from fields other than technology. I think it could benefit us to broaden the range of skills we recruit for. Perhaps we could start looking at college or entry-level recruits, who we then train in the necessary critical thinking and even social-emotional skills.
There’s such a broad skill set that is needed in Cyber Security. As I’ll share in my second article, a holistic approach can be so beneficial.
Jothi Dugar is CISO at the NIH Center for Information Technology, Office of the Director, USA. We look forward to welcoming her to CybSec and Blockchain Health.
The CybSec and Blockchain Health agenda is now available to view online. Download it now and see what experts from international healthcare organisations, academia and technology solution providers will be presenting on.